Software

A security researcher who goes by the handle Siguza dropped a macOS vulnerability last December 31 without notifying Apple in advance. The bug is said to affect macOS versions dating back as far as 2002, or possibly even earlier. It is a local privilege escalation (LPE) flaw that gives root access to an attacker who already has a foothold on the computer. Siguza published his findings on GitHub; the flaw affects the IOHIDFamily macOS kernel driver. Siguza said that he would have submitted the bug to Apple had it been included in the bug bounty program, or if […]

Music streaming giant Spotify was recently sued for allegedly using songs without a license and without compensating music publishers. A company called Wixen Music Publishing Inc. filed the suit, which seeks $1.6 billion in damages, in a California federal court. Wixen holds exclusive rights to songs such as “Free Fallin’” by Tom Petty, “Light My Fire” by the Doors and “(Girl We Got a) Good Thing” by Weezer, and to works of artists such as Stevie Nicks. Spotify had already paid $43 million in a previous class action lawsuit which alleged that the company had failed to pay royalties for some of […]

Last week, Mozilla announced that it will be deleting telemetry data that was inadvertently collected due to a flaw in Firefox’s crash reporter. It was found that these crash reports are not fully anonymized and include sensitive data that may identify the user. Mozilla engineers revealed that Firefox had been sending back crash data automatically since the release of version 52, back in March 2017. They added that they had to delete all the data, even reports from users who had agreed to send them, since they could not distinguish between the two kinds of reports. Users and […]

Security researchers from White Fir Design recently warned that hundreds of WordPress sites are still using “boobytrapped” plugins that leave them vulnerable to remote code execution by attackers. The plugins are said to have code embedded in them which, according to experts, does not appear to serve any legitimate purpose. The discovery was tied to a blog post by a web developer who first encountered the code back in 2014. However, the White Fir team said that they are still seeing requests from various IP addresses trying to access the code. The malicious plugins have already been removed […]

Last Tuesday, German pen-testing company SySS GmbH revealed that it is possible to trick Windows 10’s facial recognition system with even a low-resolution printed photo. Windows Hello, a feature available only on Windows 10, can be used to unlock computers without requiring a password. SySS researchers said that they were able to unlock several Windows devices using only a color laser printout of a low-resolution (340×340 pixel) photo of the device owner’s face. The researchers added that Microsoft had already delivered a patch to address the issue, but only for Windows 10 branches 1703 and 1709. Source: […]

In this month’s Patch Tuesday, Microsoft issued an Office update that disables Word’s Dynamic Data Exchange (DDE) feature to prevent attackers from using it to install malware. DDE allows Word to pull data from other Office applications such as Excel. However, it was abused by several malware campaigns in the 1990s, and once again in the past few months. Malware distributors are said to have adopted a new method of using DDE from a tutorial published by security researchers at SensePost, which showed how the feature can be weaponized for malware delivery. Microsoft also advised users […]

Israeli ad-tech firm TargetingEdge was recently revealed to have sent cease-and-desist letters to researchers at Cybereason, threatening legal action if the security researchers published their findings on the “sneaky” OSX.Pirrit adware. Last Tuesday, Cybereason principal researcher Amit Serper divulged in his writeup how OSX.Pirrit tricks users into granting root privileges to the adware’s installer, which downloads files used to maintain the malware’s persistence on the infected computer. The adware also attempts to pass itself off as a legitimate macOS function and uses AppleScript to inject ads directly into the browser. Serper was also able to establish that […]

A Turkish software developer recently took to Twitter and exposed one of the biggest security flaws to be discovered on macOS. Lemi Orhan Ergin tweeted last Tuesday about a flaw that allows anyone to gain root access to computers running High Sierra just by entering the username “root” under Users & Groups, even without a password. Users with root access are able to take full control of the system, and it was previously thought that this account was disabled by default on Apple systems. Ergin was criticized by a number of users for not disclosing the issue privately to Apple. However, […]

A number of games featuring the likeness of Philippine President Rodrigo Duterte and PNP Chief Ronald ‘Bato’ dela Rosa have been removed from Apple’s App Store. Drug advocacy group Asian Network of People Who Use Drugs (Anpud) recently noted that several Duterte-related games, such as “Duterte Knows Kung Fu: Pinoy Crime Fighter”, “Duterte Running Man Challenge Game”, “Fighting Crime 2” and “Tsip Bato: Ang Bumangga Giba!”, can no longer be found on the App Store. Anpud had previously called on Apple and its CEO Tim Cook to remove the games, saying that the apps promoted murder, extrajudicial killings, and violence. The […]

Earlier this week, a study conducted by the Yale Privacy Lab and Exodus Privacy identified around 300 Android apps embedded with invasive trackers that record user activity without consent. The researchers found tracking scripts not only in lesser-known apps, but also in highly popular apps such as Uber, Twitter, Tinder, SoundCloud, and Spotify. While some of the trackers, such as Google’s Crashlytics, collect only crash reports, a number of others collected sensitive data such as user details and app usage info. The study said that the issue is also likely to be present in iOS. A list of […]


About Us

This blog is the embodiment of a vision we have at Disini & Disini (D&D) of an IT empowered citizenry where we, as a people, harness information available through the internet to bridge the gaps where there may be lapses. As part of our advocacy, we take full advantage of the accessibility of cyberspace by developing this blog.